Attackers Shifting to CNP Exploits as EMV is Implemented for Credit Cards


Sometimes cybersecurity trends are counterintuitive. Credit and debit cards that use integrated circuit chips, EMV technology, were designed to be less vulnerable to fraud than the previous magnetic-stripe-only standard. But as more and more of us have EMV cards in our wallets, credit card fraud appears to be on the rise.

EMV is an acronym for Europay, MasterCard, Visa. Those three entities originally developed the standard. But now the standard is managed by the EMVCo consortium, and institutions around the world use it for credit and debit cards, including Interac, American Express, Discover, ZKA, JCB, RuPay, and Banrisul. Cards with the standard include magnetic stripes and raised lettering for backwards compatibility.

The enhanced security of the chip is only enjoyed with “card present” transactions through chip-reading ATMs and retail point-of-sale terminals. “Card present” transactions specifically exclude manual entry of the card number for an online purchase. Those transactions are referred to as “card not present” or CNP.

EMV implementation seems to be reducing fraud in “card present” transactions. In the United States, merchants that accept MasterCard and other EMV cards have been required to use EMV-compliant terminals since October 1st, 2015. When that requirement took effect, legal liability for credit card fraud shifted from banks to retailers. According to a study by MasterCard, within less than a year, fraud incurred through EMV-compliant merchants fell by 54%.

That's great news, right? It is if you are an American retailer that uses EMV-compliant terminals for “card present” transactions. But there's bad news for online retailers and other merchants that take CNP transactions.

For American retailers, the weekend between Black Friday and Cyber Monday, kicking off the holiday shopping season, is the most lucrative period of the year. And more Americans are shopping online than ever before. Well, per Iovation, CNP fraud during that weekend increased by 20% when comparing 2015 to 2016, and by a whopping 34% when comparing 2014 to 2016. Yikes!

An Aite Group/Iovation study estimated that credit card fraud in total would hit $4 billion in 2016, a record level. That's total credit card fraud, including “card present” and CNP transactions in the United States. Presumably because of wider EMV implementation, attackers appear to be shifting their efforts from attacks that target magnetic stripes to cyberattacks that target CNP online retailing. The stolen card data then gets sold via the Dark Web, costing American consumers billions of dollars.

“It is going to get worse. We should still be going to EMV, but people should not get a false sense of security,” Aite Group research director Julie Conroy said.

That insight is reflected in the Javelin 2016 Identity Fraud report, published in February 2016. According to the report, there has been a 113% increase in new account fraud since EMV compliance was made mandatory on October 1st, 2015. That sort of fraud has more than doubled, and Javelin concludes that EMV implementation has been driving CNP attacks in the United States.

Obviously, ecommerce must step up its game. Perhaps, for instance, HTTPS should use better encryption standards to mitigate man-in-the-middle attacks. I heard someone suggest that EMV terminals should be made available to consumers as a peripheral for PCs and smartphones. If that were done, online retailers would need a backend to support the use of such peripherals. And of course end users would need to purchase the peripherals for their front end. But even if the theoretical peripherals were made reasonably affordable, let's say $50 to $100 each for example, would consumers actually buy them?

You probably don't remember the CueCat, because those devices were a commercial failure. A former Dallas-based company called Digital Convergence distributed millions of CueCats to consumers for free back in 2000. The devices were designed to scan barcodes in print magazines, which would direct web browsers to a specific webpage. People didn't end up using their free CueCats very much. QR code technology, usable through smartphone and tablet cameras with specialized apps, serves the same sort of function these days. But people don't use QR codes very often, either.

Home EMV readers would be a hard sell. I also don't think smartphones and tablets in the future are going to have physical ports to take EMV card chips.

Manufacturers, the security industry, and the financial industry all must focus on CNP hardening, and collaborate. Also, many cybersecurity professionals are employed by banks and payment technology vendors, so their work is under particular scrutiny. It will continue to be an uphill battle.

About the Author: Kim Crawley, Guest Blogger

Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.